Posts

CEOs’ Lack of Cyber Awareness Is Exposing UK Business To Major Risk

London, UK – Tuesday 16th July 2019 – The lack of CEO-specific security plans, failure to comply with plans in place and the growing number of unsecure smart devices in the home and places of travel (such as hotels) means that CEOs and other senior executives are regularly at risk of being targeted by cybercriminal networks, a new piece of research has revealed today.

The latest survey*, conducted by RedSeal amongst senior IT teams up to CIO level within UK businesses, unearthed a number of gaps in cybersecurity protocols and awareness amongst a CEO audience. Although the research demonstrated that many senior IT professionals have aimed to put CEO-specific cybersecurity plans in place, over half (54%) don’t believe that their CEO follows procedure and are exposing their organisation to potential compromise. Over a third (38%) also weren’t fully aware of the technology their CEO used in their own homes.

  • New research reveals that CEOs are disengaged from cybersecurity challenges and are unaware of many of the attacks on their business
  • Many CEOs still aren’t adhering to ‘out of office’ security measures put in place by their security teams
  • Smart technology is putting sensitive company information at risk, as CEOs become a major target for hackers and cybercriminals

The proliferation of smart devices is a danger to UK business

With the ever-changing digital working habits and behaviours of CEOs made possible by innovative mobile and smart technology the research found that cybersecurity measures aren’t being followed outside the traditional workplace — an enormous potential security oversight given 1 in 5 smart devices in the home** have been breached or compromised.

“Smart devices are important because they are new, unproven, and not built with security as a primary goal” said Dr. Mike Lloyd, CTO of RedSeal. “Smart devices compete on convenience and price. Security is usually an after-thought, if it’s addressed at all. Some popular smart devices, like smart speakers, compromise privacy even when working as intended — which is scary when you think about the opportunity this presents to people who want to spy on CEOs for commercial or national advantage. CEOs have wide access to their organisation’s network resources, the authority to look into most areas, and frequently see themselves as exempt from the inconvenient rules applied to others. This makes them ideal targets.”

UK business is also under attack but are we trying to hide it?

There is industry-wide confusion as to how many attacks there have been on UK business in the last 12 months. The UK Government’s recent Cyber Breaches report cited that only 38% of UK businesses have recorded an attack, whereas this most recent research from RedSeal is showing that, in fact, 81% of senior IT professionals admit to their company having suffered a breach.

75% of those IT pros surveyed also stated that their CEO must pay more attention to cybersecurity, with almost the same amount (74%) saying that their customers’ information has been put at risk because of a cyberattack or breach on their organisation.

The research also revealed that 42% of UK companies don’t have a cyber-response plan in place to inform customers of a security breach and that over a quarter (26%) will only report the major breaches to their CEO.

Lloyd concluded, “Despite its many benefits, the Internet is a dangerous place where new security threats can evolve and rapidly mutate. Perfect defence is illusory; in a complex and interdependent world, some attacks are bound to succeed.  Organisations must look to a strategy of resilience. They’ll survive only by planning in advance for how the inevitable successful attacks will be handled.”

ENDS

*An online survey was conducted by Atomik Research on behalf of RedSeal among 502 IT professionals from the UK. The research fieldwork took place on 19th-27th June, 2019. Atomik Research is an independent creative market research agency that employs MRS-certified researchers and abides to MRS code. To read a summary, please click here.

**A second online survey was conducted by Atomik Research among 2,004 UK consumers aged 18+. The research fieldwork took place on 19th-25th June, 2019. Atomik Research is an independent creative market research agency that employs MRS-certified researchers and abides to MRS code. To read a summary, please click here.

Using cyber insurance to run virtuous circles around cyber risk

Computer Fraud & Security Magazine | October 2018

By Dr. Mike Lloyd, Chief Technology Officer

In 2016, the Ponemon Institute, which conducts independent research on privacy, data protection and information security policy, concluded that each of the 383 companies it surveyed had a “26% probability of a material data breach involving 10,000 lost or stolen records” within the “next 24 months”. Work this out over the long term, not for two years but for the projected life of your business and you must accept the certainty of data breach just as you accept the certainty of death and taxes. Breaches will happen. They will happen to you.

Is AI Resilient Enough for Security?

SIGNAL Magazine | October 22, 2018

By Dr. Mike Lloyd, RedSeal CTO

Machines need to be hard to fool and reliable under pressure.

Artificial intelligence can be surprisingly fragile. This is especially true in cybersecurity, where AI is touted as the solution to our chronic staffing shortage.

It seems logical. Cybersecurity is awash in data, as our sensors pump facts into our data lakes at staggering rates, while wily adversaries have learned how to hide in plain sight. We have to filter the signal from all that noise. Security has the trifecta of too few people, too much data and a need to find things in that vast data lake. This sounds ideal for AI.

Resilient regulation can help end the tech-consumer stalemate

The Hill | October 21, 2018

By Ray Rothrock, RedSeal CEO

The reason for the absence of meaningful dialogue and meaningful movement is that the two sides persist in choosing the wrong adjectives. They argue over preemptive federal legislation versus state legislation. They fight over tough legislation versus soft legislation.

What they should do is discard all of these modifiers and instead embrace, together, just one type of legislation: resilientWe need privacy regulation that promotes the resilience of data privacy and security. And we need it whether we run Google and Facebook or use Google and Facebook.

“Zero Trust” Is the Opposite of Business

Infosecurity Magazine| September 14, 2018

By Dr. Mike Lloyd, RedSeal CTO

The term zero trust has been cropping up a lot recently, with even a small conference on the topic recently. It sounds like an ideal security goal, but some caution is warranted. When you step back and consider the reason security is important – keeping organizations running – it’s not so clear that zero trust is really what we want.

I see the label zero trust as an over-reaction to the challenges we face in security. To the extent that the term means “be less trusting”, I agree. Look at our lack of success in stopping breaches.

Which is more valuable – your security or a cup of coffee?

The drumbeat of media coverage of new breaches continues, but it’s useful sometimes to look back at where we’ve been.  Each scary report of so many millions of records lost can be overwhelming.  It certainly shows that our network defenses are weak, and that attackers are very effective.  This is why digital resilience is key – perfect protection is not possible.  But each breach takes a long time to triage, to investigate, and ultimately to clean up; a lot of this work happens outside the media spotlight, but adds a lot to our sense of what breaches really cost.

Today’s news includes a settlement figure from the Anthem breach from back in 2015 – a final figure of $115 million.  But is that a lot or a little?  If you had to pay it yourself, it’s a lot, but if you’re the CFO of Anthem, now how does that look?  It’s hard to take in figures like these.  So one useful way to look at it is how much that represents per person affected.

Anthem lost 79 million records, and the settlement total is $115 million.  This means the legally required payout comes out just a little over a dollar per person – $1.46 to be exact.

That may not sound like a lot.  If someone stole your data, would you estimate your loss to be a bit less than a plain black coffee at Starbucks?

Of course, this figure is only addressing one part of the costs that Anthem faced – it doesn’t include their investigation costs, reputation damage, or anything along those lines.  It only represents the considered opinion of the court on a reasonable settlement of something over 100 separate lawsuits.

We can also look at this over time, or over major news-worthy breaches.  Interestingly, it turns out that the value of your data is going up, and may soon exceed the price of a cup of joe.  Home Depot lost 52 million records, and paid over $27 million, at a rate of 52 cents per person.  Before that, Target suffered a major breach, and paid out $41 million (over multiple judgements) to around 110 million people, or about 37 cents each.  In a graph, that looks like this:

Which is more valuable – your security or a cup of coffee?

 

Note the escalating price per affected customer. This is pretty startling, as a message to the CFO.  Take your number of customers, multiply by $1.50, and see how that looks.  Reasonably, we can expect the $1.50 to go up.  Imagine having to buy a Grande Latte for every one of your customers, or patients that you keep records on, or marketing contacts that you track.  The price tag goes up fast!

Russia’s Alternate Internet

New York Magazine | July 13, 2018

By Dr. Mike Lloyd, RedSeal CTO

Russia has nearly completed an alternative to the Domain Name System — the common “phone book” of the internet that translates numerical IP addresses to readable text like “Amazon.com” and “NYMag.com.” When implemented, the DNS alternative could separate Russia and its allies from the rest of the connected internet — a possibility that, however remote, has experts worried about a “balkanization” of a global network.

Last November, the Russian Security Council announced its ambition to create an independent internet infrastructure for Russia and the other members of BRICS (Brazil, India, China, and South Africa). According to reports, the Russian government sought to create the alternative internet to protect itself from American and Western manipulation of internet services and avoid “possible external influence.” (Sound familiar?)

ICS Security: ‘The Enemy Is in the Wire’

Dark Reading | July 12, 2018

By Wayne Lloyd, RedSeal Federal CTO

Threats to industrial control systems are real and frightening. The government is taking steps to keep us safer in the future, but there are near-term steps you can take right now.

“The enemy is in the wire.” During the Vietnam War, this call would ring out to alert everyone that the enemy was in the perimeter of fortifications. In our cyber world, we’ve known this for years; however, the call rang frighteningly true in May of this year.

This particular enemy was first discovered in August 2017, as a new piece of malware, now known as Trisis. A Middle Eastern oil and gas company found the malware when its industrial equipment started shutting down.

The Only Cybersecurity Metric That Matters for Digital Resilience

While the focus on cybersecurity has never been higher, the cybersecurity community – a combined team of solution providers, CISOs, boards and others– haven’t been able to stop most attacks from being successful.

Why?

We have focused too much of our efforts on network perimeters, working to detect and prevent cyber attacks. We haven’t done enough to build resilience INSIDE the network, the part of the equation we can control.

Organizations need to build resilience into their infrastructures and adopt an end-end digital resilience strategy to survive and thrive.

How big is the problem? There are 1400+ vendors focused on cybersecurity. Nearly $100B was spent on information security just in 2016. Yet billions of records have been compromised.

The reason is we have not addressed fundamental issues inside the network. Companies need to build resilience into their infrastructure and adopt a corporate-wide digital resilience strategy.

A few years back, RedSeal gathered 800 surveys during the RSA Conference. We learned that:

  • Practitioners are drowning in data
  • They can’t measure the performance or impact of their security efforts
  • Current solutions can’t turn data into action
  • They need useful security metrics

The problem with measuring security is that security is the absence of something. You can’t report how often you were NOT on the cover of Washington Post. Many people start by counting what they are doing. But this measures busy-ness, not business. How can you show actual improvements in cybersecurity?

The Shifting Terrain and Digital Resilience

According to the 2016 TechCrunch CIO Report, 82% of global IT leaders report significant labor shortages in cybersecurity. This, combined with issues such as software defined everything, digital transformation, hybrid datacenters, IoT, and shadow IT, means a big shift in thinking is required. We don’t have enough people to throw at the problem.

Digital resilience is a comprehensive strategy across all IT functions and business processes to minimize the impact of cyber attacks and network interruptions. It’s a different way of thinking.  Being resilient means simultaneously striving to minimize each attack and being able to recover quickly from a strike. Resilient organizations have fewer, smaller incidents, understand and respond to them faster, and can rapidly return to normal operations afterwards.

It’s not enough to see the devices in your “as-built” infrastructure – you have to really understand how they are configured and automatically get a list of vulnerabilities.

And that list of vulnerabilities is a problem; there are too many to act on. Even knowing asset value and vulnerability severity aren’t enough to fully understand the risk. You need to understand if they can be accessed. A high value asset with a vulnerability that is segmented behind a firewall is not as big a risk as one that is slightly lower in value, but has an open path to the internet.

RedSeal’s Digital Resilience Score

Resilient organizations must focus on three main areas—being hard to hit, being ready for an attack when it comes, and being able to recover quickly.

RedSeal helps these organizations identify defensive gaps, run continuous penetration tests to measure readiness, and map their entire network infrastructure.

From these capabilities, RedSeal calculates one unified number, so managers, boards of directors and executive management have the understandable and actionable metric they need to drive towards digital resilience.

RedSeal’s Digital Resilience Score focuses on three essential questions:

  • Do you have defects that are easy to hit? RedSeal evaluates how weaknesses from incorrectly configured devices and third-party software could impact you.
  • Can an attacker reach your valuable assets? RedSeal evaluates how well your network is structured, identifying attack pathways and chains of vulnerability that reduce your ability to withstand and recover from attack.
  • Is your network understanding complete? By identifying previously unknown parts of your network, RedSeal evaluates how well you know what your digital infrastructure looks like. With a complete picture, you can be sure you’re managing all assets on your network. During an attack, you’ll be able to understand where an attacker can reach. And, you’ll be able to recover much more quickly.

Instead of getting stuck in an ineffective focus on measuring activity, resilient organizations use RedSeal’s DRS. It works like a creditworthiness score, deducting pointing for defensive gaps, weaknesses revealed by attack simulations, and blind spots in your network awareness. A higher score means there is a higher likelihood that your business can withstand an incident and keep running.

It’s the security measure that matters for digital resilience.

How to solve the human challenges of cybersecurity

TechRepublic | June 27, 2018

With Ray Rothrock, RedSeal CEO

To respond to cyberattacks, companies must invest in training and education, says RedSeal CEO Ray Rothrock in a talk with TechRepublic Senior Writer Dan Patterson.